[MIR] pymacaroons, python-libnacl

Bug #1746772 reported by Andres Rodriguez on 2018-02-01
Affects               Status   Importance   Assigned to   Milestone
pymacaroons (Ubuntu)           Undecided    Unassigned
Trusty                         Undecided    Chad Smith
Xenial                         Undecided    Chad Smith

Bug Description

pymacaroons
=============

1. Availability: all

2. Rationale:
macaroon is a new dependency that MAAS will use. This provides the library for macaroon-based authentication, which MAAS will use to support remote/centralized authentication.

3. Security:
No CVEs

4. QA:
0 bugs in debian/ubuntu

5. UI standards:
None

6. Dependencies:

Dependencies in universe:
 - python{3}-libnacl - Python 3 bindings for libsodium based on ctypes

7. Standards:
No lintian errors.

Packaged with debhelper. Source format is 3.0 (quilt)

Standards version: 3.9.8

8. Maintenance:
Easy.

9. Background information:
This package provides the macaroon library for MAAS to allow it to work for macaroon based authentication systems.

summary: - [MIR] pymacaroons
+ [MIR] pymacaroons, python-libnacl
description: updated
Matthias Klose (doko) wrote :

missing bug subscribers

Changed in pymacaroons (Ubuntu):
status: New → Incomplete
Changed in python-libnacl (Ubuntu):
status: New → Incomplete
Andres Rodriguez (andreserl) wrote :

As per comments from cjwatson, setting it as New:

09:42 < cjwatson> different upstream projects with incompatible APIs
09:43 < cjwatson> more or less similar functions
09:43 < cjwatson> but AIUI switching from one to the other is basically a rewrite

Changed in pymacaroons (Ubuntu):
status: Incomplete → New
Changed in python-libnacl (Ubuntu):
status: Incomplete → New
Andres Rodriguez (andreserl) wrote :

Also, MAAS maintainers is now a bug subscriber.

Colin Watson (cjwatson) wrote :

I've uploaded pymacaroons 0.13.0 to unstable, which switches from python-libnacl to python-nacl (and was easier than I expected!). Once this lands in bionic, I think you can drop python-libnacl from this MIR.

Andres Rodriguez (andreserl) wrote :

pymacaroons 0.13.0 has made it into the ubuntu archive, dropping MIR for python-libnacl.

no longer affects: python-libnacl (Ubuntu)
description: updated

Reviewed the whole thing, there is now a bug subscriber. There's some crypto use but all through other libraries we've already MIRed (or in progress), and none of it looks crazy. MIR approved.

(This is still going to be blocked on python-nacl though...)

Changed in pymacaroons (Ubuntu):
status: New → Fix Committed
Steve Langasek (vorlon) wrote :

Override component to main
pymacaroons 0.13.0-1 in bionic: universe/misc -> main
python-pymacaroons 0.13.0-1 in bionic amd64: universe/python/optional/100% -> main
python-pymacaroons 0.13.0-1 in bionic arm64: universe/python/optional/100% -> main
python-pymacaroons 0.13.0-1 in bionic armhf: universe/python/optional/100% -> main
python-pymacaroons 0.13.0-1 in bionic i386: universe/python/optional/100% -> main
python-pymacaroons 0.13.0-1 in bionic ppc64el: universe/python/optional/100% -> main
python-pymacaroons 0.13.0-1 in bionic s390x: universe/python/optional/100% -> main
python3-pymacaroons 0.13.0-1 in bionic amd64: universe/python/optional/100% -> main
python3-pymacaroons 0.13.0-1 in bionic arm64: universe/python/optional/100% -> main
python3-pymacaroons 0.13.0-1 in bionic armhf: universe/python/optional/100% -> main
python3-pymacaroons 0.13.0-1 in bionic i386: universe/python/optional/100% -> main
python3-pymacaroons 0.13.0-1 in bionic ppc64el: universe/python/optional/100% -> main
python3-pymacaroons 0.13.0-1 in bionic s390x: universe/python/optional/100% -> main
13 publications overridden.

Changed in pymacaroons (Ubuntu):
status: Fix Committed → Fix Released
Seth Arnold (seth-arnold) wrote :

python-nacl MIR request here: https://bugs.launchpad.net/ubuntu/+source/python-nacl/+bug/1747460

(I found this one first when searching and was confused about the python-libnacl vs python-nacl difference.)

Thanks

Chad Smith (chad.smith) wrote :

For UA Client the server team would like to request pulling back python3-pymacaroons to trusty as well.

Changed in pymacaroons (Ubuntu):
status: Fix Released → New
Chad Smith (chad.smith) wrote :

This is a request for ack of inclusion of python3-pymacaroons 0.9.2 in trusty main

ubuntu-advantage-tools has a direct dependency on python3-pymacaroons and is targeted for inclusion in trusty. This is a request for ack to include python-pymacaroons version 0.9.2 which is also in xenial. This version of python-pymacaroons depends on python-libnacl which in turn depends on libsodium18. Both of these deps require MIRs as well

python-libnacl: #1817327
libsodium18: #1621386

I added tasks for Xenial and Trusty, the main task I set back to fix released as that is truly complete and didn't change. This is "just" for the time-warping back for X/T which we will have to evaluate.

I'll start on the MIR evaluation of those later on today

Changed in pymacaroons (Ubuntu):
status: New → Fix Released
Changed in pymacaroons (Ubuntu Trusty):
assignee: nobody → Christian Ehrhardt  (paelzer)
Changed in pymacaroons (Ubuntu Xenial):
assignee: nobody → Christian Ehrhardt  (paelzer)

This is a special case, as we have the newer versions already in main in Bionic.
Therefore the evaluation checks if the older version has CVEs, packaging issues and such - but is no full re-evaluation.

[Duplication]
No duplication, this is the python entrypoint for macaroons handling

[Embedded sources and static linking]
- no embedded sources
- no static linking
- no golang

[Security]
This is one of the biggest parts of the re-check as we need to ensure that the older version has no known or unmaintainable deficiencies
But it seems fine - no existing CVEs associated.

It still is security sensitive, as its purpose is to handle tokens that entitle users of a given feature.
Therefore I'd want an ack by the ubuntu-security team - which given it is a re-review should go fast as well.

[Common blockers]
- builds fine in Xenial last time, I asked for a rebuild to prove that also trusty will be fine
- no tests at build time, but then this is only re-evaluating and the version in Bionic has no more
- the maas team is already subscribed to the package
- no user visible output that needs translation
- only python3 dependencies are used (but then for Xenial/Trusty this wouldn't even be important)
- dh_python is in use

[Packaging red flags]
- no Ubuntu delta (the ubuntu1 comes by being a backport already)
- python library, no symbols management needed
- debian/watch present
- updates were ok so far (it isn't moving too fast though)
- no massive Lintian warnings
- very clean d/rules (almost only dh @)

[Upstream red flags]
- no build errors on the Xenial version that will be added to main
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no open bugs
- no dependency on webkit, qtwebkit, seed or libgoa-*

Note on the Versions:
This will use the version 0.9.2 in Xenial for X&T, I checked the git log of https://github.com/ecordell/pymacaroons.git
Obviously there are fixes/improvements, but no blockers and nothing that would right now outweigh the SRU risk of pushing the newer version.
The only relevant one seems to be "verification for nested third party caveats", which ua-tools triggering this MIR needs to check if they can live with it.
I discussed this already and tests with the version in Xenial as-is are good.

Security already monitors this and there are no major changes in place - therefore no security re-check needed.
Version differences of 0.9.2-0ubuntu1 in Xenial (and eventually Trusty) instead of the 0.13.0-1 that is in main are not too big as the package is mostly a wrapper for NaCl/Sodium functionality.

[Summary]
As expected - since the newer versions are already in main - this wasn't too critical.
After comparing the differences of the version in main in bionic to what shall be promoted in Xenial/Trusty there were no blockers identified.

TODOs:
@Chad - since this wasn't built a long time in Xenial and never before in Trusty. Could you please provide a PPA that builds the set of three packages in both Releases?
Assigned to Chad until PPAs are provided - once builds are shown to be good on X&T this can be approved.

Changed in pymacaroons (Ubuntu Trusty):
assignee: Christian Ehrhardt  (paelzer) → Chad Smith (chad.smith)
Changed in pymacaroons (Ubuntu Xenial):
assignee: Christian Ehrhardt  (paelzer) → Chad Smith (chad.smith)

I proved the (re)build quality for Xenial (to be sure) and since it will be new for Trusty as well.

Xenial: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3667
Trusty: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3668

Both releases' build logs seem sane, no FTBFS and no deviation from what was checked (Xenial LP builds) in the MIR review.

That said I think we can start prepping that for the Trusty new queue as SRU already.

The package is now in trusty-proposed (universe) and ready for promotion once the ubuntu-advantage-tools upload pulling it in appears in -proposed.

Updating the state of the bug per https://wiki.ubuntu.com/MIRTeam#Process_states

Changed in pymacaroons (Ubuntu Trusty):
status: New → In Progress
Changed in pymacaroons (Ubuntu Xenial):
status: New → In Progress
Alex Murray (alexmurray) on 2019-03-21
Changed in pymacaroons (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Alex Murray (alexmurray) wrote :

I reviewed pymacaroons 0.9.2-0ubuntu1 as checked in to Xenial.

pymacaroons is a python implementation of the Macaroon concept - like
cookies but with caveats, allowing delegation and attenuation of
authority - so kind of like capabilities (the real ones, not POSIX /
Linux ones).

- No CVE history in our database
- Depends:
  - debhelper, dh-python, python[3], python[3]-all, python[3]-libnacl,
    python[3]-setuptools, python[3]-six
  - Nothing out of the ordinary for a python package, in particular uses
    python[3]-libnacl for the crypto
- Does not itself do networking
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid files
- No binaries in the PATH
- No sudo fragments
- No udev rules
- No test suite - upstream has one but this does not seem to exist in
  the orig tarball and no autopkgtest either :(
- No cron jobs
- Clean build logs

- No subprocesses spawned
- No file IO
- No logging
- No environment variable use
- No privileged functions
- No networking
- No privileged portions of code
- No temp files
- No WebKit
- No PolKit

No particular issues identified other than the missing test suite :/ -
security team ACK for promoting to main for Xenial/Trusty.
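The "cookies with caveats" description above is the whole security model of the package under review, so here is an added, self-contained illustration of it (not pymacaroons' own code, and not part of the Launchpad thread). It implements the first-party-caveat HMAC chain in plain Python with only the standard library: the issuer mints a token from a root key, any holder can attenuate it by appending a caveat, and the verifier recomputes the chain from the root key and checks every caveat. It mirrors the rough API shape of pymacaroons (`add_first_party_caveat`, `Verifier.satisfy_exact`/`satisfy_general`) but deliberately omits the library's key derivation step and the third-party caveats mentioned in the review; the root key, location, identifier and timestamps are constructed sample values.

```python
"""Simplified first-party-caveat macaroon (illustration, not pymacaroons)."""
import hashlib
import hmac
import json
from typing import Callable, List, Optional


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Macaroon:
    """A bearer token whose signature is an HMAC chain over its caveats."""

    def __init__(self, location: str, identifier: str, signature: bytes,
                 caveats: Optional[List[str]] = None):
        self.location = location
        self.identifier = identifier
        self.signature = signature
        self.caveats = list(caveats or [])

    @classmethod
    def mint(cls, root_key: bytes, location: str, identifier: str) -> "Macaroon":
        # Only the issuer knows root_key; sig0 = HMAC(root_key, identifier).
        return cls(location, identifier, _hmac(root_key, identifier.encode()))

    def add_first_party_caveat(self, predicate: str) -> "Macaroon":
        # Any holder can attenuate: sig_n = HMAC(sig_{n-1}, caveat). HMAC is
        # one-way, so the previous signature cannot be recovered and a caveat
        # can never be removed once added (only further caveats appended).
        return Macaroon(self.location, self.identifier,
                        _hmac(self.signature, predicate.encode()),
                        self.caveats + [predicate])

    def serialize(self) -> str:
        return json.dumps({"location": self.location, "identifier": self.identifier,
                           "caveats": self.caveats, "signature": self.signature.hex()})

    @classmethod
    def deserialize(cls, data: str) -> "Macaroon":
        d = json.loads(data)
        return cls(d["location"], d["identifier"],
                   bytes.fromhex(d["signature"]), d["caveats"])


class Verifier:
    """Holds the predicates the verifying service is willing to discharge."""

    def __init__(self) -> None:
        self._exact = set()
        self._general: List[Callable[[str], bool]] = []

    def satisfy_exact(self, predicate: str) -> None:
        self._exact.add(predicate)

    def satisfy_general(self, check: Callable[[str], bool]) -> None:
        self._general.append(check)

    def _caveat_met(self, caveat: str) -> bool:
        return caveat in self._exact or any(c(caveat) for c in self._general)

    def verify(self, m: Macaroon, root_key: bytes) -> bool:
        # Recompute the chain from the root key: every caveat must be met AND
        # the recomputed signature must match (constant-time comparison).
        sig = _hmac(root_key, m.identifier.encode())
        for caveat in m.caveats:
            if not self._caveat_met(caveat):
                return False
            sig = _hmac(sig, caveat.encode())
        return hmac.compare_digest(sig, m.signature)


def demo() -> dict:
    root_key = b"constructed-root-key-keep-secret"  # constructed sample secret
    issued = Macaroon.mint(root_key, "https://api.example.test", "user-42")
    # The user hands a helper script a narrowed token: read-only, time-limited.
    delegated = (issued.add_first_party_caveat("op = read")
                       .add_first_party_caveat("time < 1700003600"))

    now = 1700000000  # constructed "current time" at the verifying service
    v = Verifier()
    v.satisfy_exact("op = read")
    v.satisfy_general(lambda c: c.startswith("time < ") and now < int(c[7:]))

    # Tampering attempt: drop a caveat but keep the signature -> chain mismatch.
    stripped = Macaroon(delegated.location, delegated.identifier,
                        delegated.signature, delegated.caveats[:1])
    # Same token presented after the deadline has passed.
    later = Verifier()
    later.satisfy_exact("op = read")
    later.satisfy_general(lambda c: c.startswith("time < ") and 1700010000 < int(c[7:]))

    return {
        "delegated_valid": v.verify(delegated, root_key),
        "round_trip_valid": v.verify(Macaroon.deserialize(delegated.serialize()), root_key),
        "stripped_caveat_rejected": not v.verify(stripped, root_key),
        "expired_rejected": not later.verify(delegated, root_key),
        "wrong_key_rejected": not v.verify(delegated, b"some-other-key"),
        "unrestricted_still_valid": v.verify(issued, root_key),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point worth taking from the review's "no file IO, no networking" list is that all of the package's security weight sits in this chain: the root key never leaves the issuer, attenuation needs no round trip to it, and tampering shows up purely as a signature mismatch, which is why the crypto dependency (libnacl, later python-nacl) is the part that actually needs the security team's attention.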

Changed in pymacaroons (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Steve Langasek (vorlon) wrote :

Override component to main
pymacaroons 0.12.0-1~ubuntu16.04.1 in xenial: universe/python -> main
1 publication overridden.
Override component to main
python3-pymacaroons 0.12.0-1~ubuntu16.04.1 in xenial amd64: universe/python/optional/100% -> main
python3-pymacaroons 0.12.0-1~ubuntu16.04.1 in xenial arm64: universe/python/optional/100% -> main
python3-pymacaroons 0.12.0-1~ubuntu16.04.1 in xenial armhf: universe/python/optional/100% -> main
python3-pymacaroons 0.12.0-1~ubuntu16.04.1 in xenial i386: universe/python/optional/100% -> main
python3-pymacaroons 0.12.0-1~ubuntu16.04.1 in xenial powerpc: universe/python/optional/100% -> main
python3-pymacaroons 0.12.0-1~ubuntu16.04.1 in xenial ppc64el: universe/python/optional/100% -> main
python3-pymacaroons 0.12.0-1~ubuntu16.04.1 in xenial s390x: universe/python/optional/100% -> main
7 publications overridden.

Changed in pymacaroons (Ubuntu Xenial):
status: In Progress → Fix Released
Steve Langasek (vorlon) wrote :

Override component to main
pymacaroons 0.9.2-0ubuntu1~ubuntu14.04.2 in trusty: universe/python -> main
1 publication overridden.
python3-pymacaroons 0.9.2-0ubuntu1~ubuntu14.04.2 in trusty amd64: universe/python/optional/100% -> main
python3-pymacaroons 0.9.2-0ubuntu1~ubuntu14.04.2 in trusty arm64: universe/python/optional/100% -> main
python3-pymacaroons 0.9.2-0ubuntu1~ubuntu14.04.2 in trusty armhf: universe/python/optional/100% -> main
python3-pymacaroons 0.9.2-0ubuntu1~ubuntu14.04.2 in trusty i386: universe/python/optional/100% -> main
python3-pymacaroons 0.9.2-0ubuntu1~ubuntu14.04.2 in trusty powerpc: universe/python/optional/100% -> main
python3-pymacaroons 0.9.2-0ubuntu1~ubuntu14.04.2 in trusty ppc64el: universe/python/optional/100% -> main
6 publications overridden.

Changed in pymacaroons (Ubuntu Trusty):
status: In Progress → Fix Released